Merge pull request #7698 from Snuffleupagus/bug-1308536

Ignore reserved commands when parsing operands in `CFFParser_parseDict`, instead of just rejecting the entire font (bug 1308536)

src/core/cff_parser.js

@@ -349,9 +349,9 @@ var CFFParser = (function CFFParserClosure() {
         } else if (value >= 251 && value <= 254) {
           return -((value - 251) * 256) - dict[pos++] - 108;
         } else {
-          error('255 is not a valid DICT command');
+          warn('CFFParser_parseDict: "' + value + '" is a reserved command.');
+          return NaN;
         }
-        return -1;
       }
 
       function parseFloatOperand() {
@@ -1000,19 +1000,22 @@ var CFFDict = (function CFFDictClosure() {
       if (!(key in this.keyToNameMap)) {
         return false;
       }
+      var valueLength = value.length;
       // ignore empty values
-      if (value.length === 0) {
+      if (valueLength === 0) {
         return true;
       }
+      // Ignore invalid values (fixes bug1068432.pdf and bug1308536.pdf).
+      for (var i = 0; i < valueLength; i++) {
+        if (isNaN(value[i])) {
+          warn('Invalid CFFDict value: "' + value + '" for key "' + key + '".');
+          return true;
+        }
+      }
       var type = this.types[key];
       // remove the array wrapping these types of values
       if (type === 'num' || type === 'sid' || type === 'offset') {
         value = value[0];
-        // Ignore invalid values (fixes bug 1068432).
-        if (isNaN(value)) {
-          warn('Invalid CFFDict value: ' + value + ', for key: ' + key + '.');
-          return true;
-        }
       }
       this.values[key] = value;
       return true;

test/pdfs/.gitignore

@@ -55,6 +55,7 @@
 !bug1068432.pdf
 !bug1146106.pdf
 !bug1252420.pdf
+!bug1308536.pdf
 !issue5564_reduced.pdf
 !canvas.pdf
 !bug1132849.pdf

test/test_manifest.json

@@ -784,6 +784,13 @@
        "link": false,
        "type": "load"
     },
+    {  "id": "bug1308536",
+       "file": "pdfs/bug1308536.pdf",
+       "md5": "cc2258981e33ad8d96acbf87318716d5",
+       "rounds": 1,
+       "link": false,
+       "type": "eq"
+    },
     {  "id": "bug1252420",
        "file": "pdfs/bug1252420.pdf",
        "md5": "f21c911b9b655972b06ef782a1fa6a17",

test/unit/cff_parser_spec.js

@@ -1,5 +1,6 @@
-/* globals describe, it, expect, beforeAll, afterAll, Stream, CFFParser,
-           SEAC_ANALYSIS_ENABLED, CFFIndex, CFFStrings, CFFCompiler */
+/* globals describe, it, expect, beforeAll, afterAll, beforeEach, afterEach,
+           Stream, CFFParser, SEAC_ANALYSIS_ENABLED, CFFIndex, CFFStrings,
+           CFFCompiler */
 
 'use strict';
 
@@ -33,14 +34,22 @@ describe('CFFParser', function() {
       fontArr.push(parseInt(hex, 16));
     }
     fontData = new Stream(fontArr);
+    done();
+  });
 
+  afterAll(function () {
+    fontData = null;
+  });
+
+  beforeEach(function (done) {
     parser = new CFFParser(fontData, {}, SEAC_ANALYSIS_ENABLED);
     cff = parser.parse();
     done();
   });
 
-  afterAll(function () {
-    fontData = parser = cff = null;
+  afterEach(function (done) {
+    parser = cff = null;
+    done();
   });
 
   it('parses header', function() {
@@ -104,6 +113,24 @@ describe('CFFParser', function() {
     expect(topDict.getByName('UnderlinePosition')).toEqual(defaultValue);
   });
 
+  it('ignores reserved commands in parseDict, and refuses to add privateDict ' +
+     'keys with invalid values (bug 1308536)', function () {
+    var bytes = new Uint8Array([
+      64, 39, 31, 30, 252, 114, 137, 115, 79, 30, 197, 119, 2, 99, 127, 6
+    ]);
+    parser.bytes = bytes;
+    var topDict = cff.topDict;
+    topDict.setByName('Private', [bytes.length, 0]);
+
+    var parsePrivateDict = function () {
+      parser.parsePrivateDict(topDict);
+    };
+    expect(parsePrivateDict).not.toThrow();
+
+    var privateDict = topDict.privateDict;
+    expect(privateDict.getByName('BlueValues')).toBeNull();
+  });
+
   it('parses a CharString having cntrmask', function() {
     var bytes = new Uint8Array([0, 1, // count
                                 1,  // offsetSize